2004: The BIOS size of 60% of all notebooks suffered an increase of 25Kb

Fast forward 5 years, 2009:

* We were trying to install our own BIOS rootkit (Persistent BIOS Infection Talk, CanSecWest / Syscan)
What is the rootkit?

Absolute Corp. Computrace, Anti-theft agent

* Option ROM embedded in Phoenix BIOS
* Agreements with law enforcement agencies.
* Inside notebooks from HP, Dell, Lenovo, Toshiba, Gateway, Asus, Panasonic, and more.

Option ROM header:

00000000  55 aa 2a eb 15 43 6f 6d 70 75 54 72 61 63 65 20  U.*..CompuTrace 
00000010  56 38 30 2e 38 36 36 78 1d 00 e9 5c 01 50 43 49  V80.866x...\.PCI
00000020  52 17 19 34 12 00 00 18 00 00 06 00 00 2a 00 00  R..4.........*..
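The header dump above can be read with an ordinary PCI expansion-ROM parser. The following is an added example (not a tool from the talk or from Absolute): it takes the 48 header bytes shown on the slide as constructed input, walks the legacy ROM header to the PCI data structure ("PCIR") and pulls out the fields that fit inside those 48 bytes. Field offsets follow the PCI firmware specification; nothing past offset 0x2F is on the page, so the parser deliberately stops at the image-length field.

```python
import struct

# Constructed sample: the 48 header bytes (offsets 0x00-0x2F) from the slide's hex
# dump of the Computrace option ROM. The rest of the image is not on the page.
ROM_HEADER_SAMPLE = bytes.fromhex(
    "55 aa 2a eb 15 43 6f 6d 70 75 54 72 61 63 65 20"
    "56 38 30 2e 38 36 36 78 1d 00 e9 5c 01 50 43 49"
    "52 17 19 34 12 00 00 18 00 00 06 00 00 2a 00 00"
)


def parse_option_rom(rom: bytes) -> dict:
    """Parse the legacy expansion-ROM header and the PCI data structure it points to.

    ROM header: 55AA signature at 0x00, image size in 512-byte units at 0x02,
    init entry (normally a short jmp) at 0x03, pointer to PCIR at 0x18.
    PCIR: "PCIR", vendor id, device id, VPD pointer, structure length (+0x0A),
    revision, class code, image length in 512-byte units (+0x10).
    """
    if len(rom) < 0x1A:
        raise ValueError("too short for an option ROM header")
    if rom[:2] != b"\x55\xaa":
        raise ValueError("missing 55AA expansion ROM signature")
    size_units = rom[2]
    # The init entry at 0x03 is normally EB rel8 (jmp short); rel8 is signed.
    init_entry = None
    if rom[3] == 0xEB:
        rel = rom[4] - 256 if rom[4] > 127 else rom[4]
        init_entry = 0x03 + 2 + rel
    pcir_off = struct.unpack_from("<H", rom, 0x18)[0]
    if len(rom) < pcir_off + 0x12:
        raise ValueError("image truncated before the end of the PCI data structure")
    if rom[pcir_off:pcir_off + 4] != b"PCIR":
        raise ValueError("PCIR signature not found at 0x%04x" % pcir_off)
    vendor_id, device_id = struct.unpack_from("<HH", rom, pcir_off + 4)
    pcir_len = struct.unpack_from("<H", rom, pcir_off + 0x0A)[0]
    image_units = struct.unpack_from("<H", rom, pcir_off + 0x10)[0]
    return {
        "size_bytes": size_units * 512,
        "init_entry": init_entry,
        "pcir_offset": pcir_off,
        "vendor_id": vendor_id,
        "device_id": device_id,
        "pcir_length": pcir_len,
        "image_units": image_units,
        # Header size byte and PCIR image length should agree.
        "size_consistent": size_units == image_units,
    }


def looks_like_computrace(rom: bytes) -> bool:
    """Triage check: the agent's ROM carries a 'CompuTrace' marker string right
    after the header jump (visible in the slide's ASCII column)."""
    return b"CompuTrace" in rom


if __name__ == "__main__":
    for key, value in parse_option_rom(ROM_HEADER_SAMPLE).items():
        print(f"{key:16} {value!r}")
    print("CompuTrace marker:", looks_like_computrace(ROM_HEADER_SAMPLE))
```

On the slide's bytes this reports a 42-block (21504-byte) image, which matches the roughly 25Kb BIOS growth mentioned at the start of the talk, a PCIR at 0x1D with vendor/device ids 0x1917/0x1234, and a short jump from 0x03 to 0x1A where the image's own `jmp near` (e9 5c 01) sits. Dumping the option ROM region and running a check like this is a cheap way to inventory which expansion ROMs a BIOS carries.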
Basic inner workings:

See patent application US 2006/0272020 A1

(Slide diagram, labels only:) BIOS: NTFS / bitlocker driver modification from BIOS while booting; activation via secret SMBIOS API or DMI strings -> Boot: Windows 98/.../XP/Vista 32/64 -> Agent: injects into IE and calls home, RPC-like over plain HTTP -> Home: search.namequery.com
PCI Header
* Reserves memory (PMM)
* Loads Agent Inst. Module
* Resize (Unload)

* Installs Agent in supported OSes
* Supports NT/2000/XP and 9x/Me
* Supports FAT/FAT32 and NTFS

* Agent self-installs instance as service in OS
* The Agent service, once installed, initiates all server sessions (RPC over HTTP-like)
Problems found:

Huge privacy risk (bad/no authentication)

* Anyone could activate it with enough privileges
* Anyone can change the configuration
* Anyone can de-activate it (at least in certain known cases)
* Whitelisted by AV (potentially undetectable)
More problems found:

* Use of URL instead of IP (hosts redirection)
* Configuration block modification: demo if there is time...

Configuration block XOR 0xB5:
Stub agent: Unauthenticated BIOS code execution

Second Stage (AIM) loader, Stub Agent (DELL Vostro 1510, Computrace V 70.785)

Disassembly of sub_1CF as shown on the slide (the two-column IDA screenshot re-assembled into one listing; addresses are as read from the scan, and mnemonics that did not survive extraction are marked ??):

    seg000:01CF sub_1CF     proc near               ; CODE XREF: sub_27F+2...p
    seg000:01CF             push    cx
    seg000:01D0             pop     es
    seg000:01D1             assume es:nothing
    seg000:01D1             ??
    seg000:01D4             mov     [si+6], cx
    seg000:01D7             mov     dl, 80h
    seg000:01D9             mov     ah, 42h
    seg000:01DB             int     13h             ; DISK
    seg000:01DD             push    es
    seg000:01DE             pop     ds
    seg000:01DF             jnb     short loc_1E2
    seg000:01E1 locret_1E1:                         ; CODE XREF: sub_1CF+1...j
    seg000:01E1                                     ; sub_1CF+72...j
    seg000:01E1             retn
    seg000:01E2 loc_1E2:                            ; CODE XREF: sub_1CF+1...j
    seg000:01E2             ??
    seg000:01E5 loc_1E5:                            ; CODE XREF: sub_1CF+2...j
    seg000:01E5                                     ; sub_1CF+33...j ...
    seg000:01E5             xor     ecx, ecx
    seg000:01E5             inc     cl
    seg000:01E7             cmp     cl, 3Eh         ; '>'
    seg000:01EA             ja      short locret_1E1
    seg000:01EC             mov     ebx, ecx
    seg000:01EF             shl     bx, 9
    seg000:01F2             lea     bx, [bx+7E00h]
    seg000:01F6             movzx   eax, byte ptr [bx]
    seg000:01FA             cmp     al, 3Eh         ; '>'
    seg000:01FC             ja      short loc_1E5
    seg000:01FE loc_1FE:                            ; CODE XREF: sub_27F+3...j
    seg000:01FE                                     ; DATA XREF: sub_27F+3...o
    seg000:01FE             cmp     eax, [bx+4]
    seg000:0202             jbe     short loc_1E5
    seg000:0204             cmp     ecx, [ebx+eax*4]
    seg000:0209             ??      short loc_1E5
    seg000:020E             ??      eax, [ebx+eax*4+4]
    seg000:0211             jnz     short loc_1E5
    seg000:0213             mov     dx, [bx+2]
    seg000:0216             movzx   ebp, byte ptr [bx+1]
    seg000:021B             mov     si, bp
    seg000:021D             lea     bp, [ebx+ebp*4+4]
    seg000:0222             lea     bx, [ebx+eax*4-4]
    seg000:0227             mov     di, bx
    seg000:0229             sub     di, bp
    seg000:022B             shr     di, 2
    seg000:022E             add     di, si
    seg000:0230             inc     di
    seg000:0231             inc     di
    seg000:0232             cmp     di, ax
    seg000:0234             jnz     short loc_1E5
    seg000:0236             shl     edx, 10h
    seg000:023A loc_23A:                            ; CODE XREF: sub_1CF+A6...j
    seg000:023A             mov     esi, [bx]
    seg000:023D             cmp     esi, 3Eh        ; '>'
    seg000:0241             ja      short locret_1E1
    seg000:0243             shl     si, 9
    seg000:0246             lea     si, [si+7E00h]
    seg000:024A             mov     di, bx
    seg000:024C             sub     di, bp
    seg000:024E             shr     di, 2
    seg000:0251             dec     di
    seg000:0252             shl     di, 9
    seg000:0255             lea     di, [di+100h]
    seg000:0259             mov     cx, 200h
    seg000:025C loc_25C:                            ; CODE XREF: sub_1CF+9F...j
    seg000:025C             lodsb
    seg000:025D             xor     dh, al
    seg000:025F             mov     ah, 8
    seg000:0261 loc_261:                            ; CODE XREF: sub_1CF+9C...j
    seg000:0261             shl     dx, 1
    seg000:0263             jnb     short loc_269
    seg000:0265             xor     dx, 1021h
    seg000:0269 loc_269:                            ; CODE XREF: sub_1CF+94...j
    seg000:0269             dec     ah
    seg000:026B             jnz     short loc_261
    seg000:026D             stosb
    seg000:026E             loop    loc_25C
    seg000:0270             sub     bx, 4
    seg000:0273             cmp     bx, bp
    seg000:0275             jnz     short loc_23A
    seg000:0277             shld    eax, edx, 10h
    seg000:027C             sub     ax, dx
    seg000:027E             retn
    seg000:027E sub_1CF     endp

The routine reads sectors with int 13h (ah = 42h, extended read from drive 80h) and copies them 512 bytes at a time (lodsb/stosb, cx = 200h). The loop at loc_25C..loc_269 (xor dh, al, then eight rounds of shl dx, 1 / xor dx, 1021h) is a CRC-16 with polynomial 1021h; the final shld/sub returns the difference between the stored value and the computed one. The loader therefore checks the second stage for integrity only, not for authenticity.
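To make the check in the listing concrete, here is an added Python model of the loop at loc_25C..loc_269 and of the function's return value. It is not the slide's code or Absolute's; it re-implements what the disassembly does (polynomial 1021h, initial value 0, MSB first, no final xor, the parameter set usually called CRC-16/XMODEM) so the behaviour can be tested. The sector contents are constructed.

```python
POLY = 0x1021  # the constant in "xor dx, 1021h"


def crc16_feed_byte(crc: int, byte: int) -> int:
    """One pass of loc_25C..loc_269 for a single byte held in AL."""
    crc ^= byte << 8                 # xor dh, al
    for _ in range(8):               # mov ah, 8 ... dec ah / jnz loc_261
        carry = crc & 0x8000         # shl dx, 1 moves bit 15 into CF
        crc = (crc << 1) & 0xFFFF
        if carry:                    # jnb short loc_269 skips the xor when CF is clear
            crc ^= POLY
    return crc


def crc16_xmodem(data: bytes, crc: int = 0) -> int:
    """CRC-16, polynomial 1021h, MSB-first, init 0, no final xor (CRC-16/XMODEM)."""
    for b in data:
        crc = crc16_feed_byte(crc, b)
    return crc


def loader_check(sectors: bytes, stored_crc: int) -> int:
    """Value left in AX by sub_1CF: the stored CRC (parked in the high half of
    EDX by shl edx, 10h) minus the CRC computed while copying, mod 2^16."""
    return (stored_crc - crc16_xmodem(sectors)) & 0xFFFF


def image_passes(sectors: bytes, stored_crc: int) -> bool:
    """The caller treats a zero return as 'second stage OK'."""
    return loader_check(sectors, stored_crc) == 0


# Constructed: one 512-byte "sector" of second-stage data.
STAGE_SAMPLE = bytes(range(256)) * 2


if __name__ == "__main__":
    stored = crc16_xmodem(STAGE_SAMPLE)
    print(f"stored CRC {stored:#06x}, loader_check = {loader_check(STAGE_SAMPLE, stored)}")
    tampered = bytearray(STAGE_SAMPLE)
    tampered[100] ^= 0xFF
    print("tampered image passes:", image_passes(bytes(tampered), stored))
```

A CRC of this kind catches accidental corruption (any single-byte change is detected, as the tampered sample shows), but it involves no key or signature, so it says nothing about who produced the image. That is the gap the slide title refers to: a loader that validates BIOS-resident code only by CRC is not authenticating it. The standard reference value for these parameters, CRC-16/XMODEM of the ASCII string "123456789" = 0x31C3, is a convenient self-test that the model matches the listing's arithmetic.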
Detecting the Rootkit Agent

A single file to look for:

* system32\rpcnet.exe (Normal Agent)
* system32\rpcnetp.exe (BIOS Persistent Agent)

A service called "Remote Procedure Call (RPC) Net" with no description

* Outgoing connections to search.namequery.com (209.53.113.223)

Our Computrace Option ROM Dumper tool
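The three indicators above (agent file in system32, the look-alike service without a description, and the call-home destination) can be turned into a simple host check. The following is an added example, not the talk's dumper tool: it runs the checks over a constructed inventory of one host (file paths, service display names with their descriptions, and outbound connections), which in practice would come from a file listing, the service control manager and netstat output.

```python
from dataclasses import dataclass, field

# Indicators taken from the slide.
AGENT_FILES = {"rpcnet.exe": "Normal Agent", "rpcnetp.exe": "BIOS Persistent Agent"}
AGENT_SERVICE = "Remote Procedure Call (RPC) Net"
CALL_HOME = {"search.namequery.com", "209.53.113.223"}


@dataclass
class HostSnapshot:
    """Inventory of one host: file paths, services (display name -> description)
    and outbound connections as (process name, remote host)."""
    files: list = field(default_factory=list)
    services: dict = field(default_factory=dict)
    connections: list = field(default_factory=list)


def find_computrace_indicators(snap: HostSnapshot) -> list:
    """Return (kind, what, note) tuples for every indicator that matches."""
    hits = []
    for path in snap.files:
        parts = path.replace("/", "\\").lower().split("\\")
        # The slide names the agent by its location; only system32 copies count.
        if len(parts) >= 2 and parts[-2] == "system32" and parts[-1] in AGENT_FILES:
            hits.append(("file", path, AGENT_FILES[parts[-1]]))
    for name, description in snap.services.items():
        # The agent's service name mimics the real RPC service but has no description.
        if name == AGENT_SERVICE and not description:
            hits.append(("service", name, "no description"))
    for process, remote in snap.connections:
        if remote.lower().rstrip(".") in CALL_HOME:
            hits.append(("network", f"{process} -> {remote}", "call-home destination"))
    return hits


# Constructed sample host: one benign file, one agent copy in system32, one copy
# outside system32 (ignored on purpose), the real RPC service beside the
# look-alike, and one call-home connection next to ordinary browsing.
SAMPLE_HOST = HostSnapshot(
    files=[
        r"C:\Windows\system32\svchost.exe",
        r"C:\Windows\system32\rpcnetp.exe",
        r"C:\Temp\rpcnet.exe",
    ],
    services={
        "Remote Procedure Call (RPC)": "Endpoint mapper (constructed description)",
        "Remote Procedure Call (RPC) Net": "",
    },
    connections=[
        ("iexplore.exe", "www.example.com"),
        ("rpcnetp.exe", "search.namequery.com"),
    ],
)


if __name__ == "__main__":
    for kind, what, note in find_computrace_indicators(SAMPLE_HOST):
        print(f"{kind:8} {what:45} {note}")
```

The file check is deliberately tied to the system32 location given on the slide; a copy elsewhere is reported nowhere, so broaden the path rule if your inventory covers other install locations. Because the agent injects into IE, the call-home connection may be attributed to iexplore.exe rather than rpcnet.exe, which is why the network check matches on destination alone.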
Deactivating:

Easiest way: hosts file redirection
* Modifying BIOS (only unsigned BIOS!)
* Modifying configuration block (Registry, hard-disk, etc.)
* Modifying nvram, then full HD wipe.
* US 6,300,863 B1 Pat. Figure 8A
* Filed Mar 24 1998, Absolute Corporation
* Agent inside modem Option ROM
* Support for DOS
* Backdooring

(Figure 8A of the patent, labels only: MODEM CARD OR MODULE; FLASH EPROM; MODEM FIRMWARE; MODEM AGENT; PROGRAMMABLE DSP OR PROCESSOR; PHONE LINES; ISA BUS CONNECTION TO CPU FOR CONFIGURATION AND STATUS)

See "Implementing and Detecting a PCI Rootkit", Heasman, BlackHat 2007
The Future:

* Phoenix Failsafe:
  Inside SMM, sounds familiar?
  Always-on, OS-independent, Wifi and GPS tracking
  It has "safe" in the name instead of "trace"

* Intel Anti-theft technology:
  vPro technology
  Using AMT secondary processor
  Works even with the notebook turned off!

* Other security applications residing in BIOS

Strong authentication: "Trust us, it's for your own protection".

This is only the beginning